{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2026-25673","title":"Title"},{"category":"description","text":"An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2026-25673","url":"https://www.suse.com/security/cve/CVE-2026-25673"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1259141 for CVE-2026-25673","url":"https://bugzilla.suse.com/1259141"}],"title":"SUSE CVE 
CVE-2026-25673","tracking":{"current_release_date":"2026-03-04T00:27:13Z","generator":{"date":"2026-03-04T00:27:13Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2026-25673","initial_release_date":"2026-03-04T00:27:13Z","revision_history":[{"date":"2026-03-04T00:27:13Z","number":"2","summary":"vulnerabilities added,references added,severity changed from  to important"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product":{"name":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:packagehub:15:sp7"}}},{"category":"product_name","name":"openSUSE Leap 15.6","product":{"name":"openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.6"}}},{"category":"product_version","name":"python-Django","product":{"name":"python-Django","product_id":"python-Django","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python-Django@?upstream=python-Django.src.rpm"}}},{"category":"product_version","name":"python311-Django","product":{"name":"python311-Django","product_id":"python311-Django","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python311-Django@?upstream=python-Django.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python311-Django as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django"},"product_reference":"python311-Django","relates_to_product_reference":"SUSE Linux 
Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"python-Django as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:python-Django"},"product_reference":"python-Django","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"python311-Django as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:python311-Django"},"product_reference":"python311-Django","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"python-Django as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:python-Django"},"product_reference":"python-Django","relates_to_product_reference":"openSUSE Leap 15.6"}]},"vulnerabilities":[{"cve":"CVE-2026-25673","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2026-25673"}],"notes":[{"category":"general","text":"An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise Module for Package Hub 15 SP7:python-Django","SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django","openSUSE Leap 15.6:python-Django","openSUSE Leap 
15.6:python311-Django"]},"references":[{"category":"external","summary":"CVE-2026-25673","url":"https://www.suse.com/security/cve/CVE-2026-25673"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1259141 for CVE-2026-25673","url":"https://bugzilla.suse.com/1259141"}],"threats":[{"category":"impact","date":"2026-03-03T17:02:51Z","details":"important"}],"title":"CVE-2026-25673"}]}